In 2022, the Black Hat security conference celebrated its 25th anniversary, and our team headed by Hamlet Khodaverdian, from California was in attendance at Blackhat USA 2022. Here’s a much needed round up of our conference experience.
The conference commemorated the event by emphasising the future of security in its two keynote addresses. Both were quite sobering; they discussed the effects of a cyber war that is still raging in Ukraine, the rise of electronic disinformation, and the political unrest that followed unsubstantiated allegations that the 2020 US election was rigged.
As usual, Blackhat Conference has continued with the tradition of never failing to deliver exciting, enlightening, and scary discussions about the state of cyber security. Here are a five talks that we found worth mentioning;
Talk: Starlink hack with $25 dollar modchip
Type: Fault Injection (Glitching in hardware hacking terms)
Speaker: Lennert Wouters
Slides: https://i.blackhat.com/USA-22/Wednesday/US-22-Wouters-Glitched-On-Earth.pdf
A $25 modchip may be used to hack into Starlink terminals, according to a cybersecurity researcher. Lennert Wouters, a security researcher from Belgium, demonstrated how he was able to hack StarLink’s user terminals by glitching, or inflicting a problem, on stage at Black Hat on Thursday. Bypassing Starlink’s security measures, this device enables a fault injection attack that gives users access to control features that Starlink had planned to keep locked down. SpaceX has provided a whitepaper detailing its security procedures in response to his talk, as well as a firmware update that “makes the attack harder, but not impossible to perform.”
Space X (Response): https://api.starlink.com/public-files/StarlinkWelcomesSecurityResearchersBringOnTheBugs.pdf
Glitching, or fault injection is the process of changing voltage levels in a digital system in a manner that causes disruption of the system under test or corruption of data. If timed correctly, a glitch of even 1 millisecond can cause a system to fail open into a potentially privileged state. This type of attack were prevalent in digital satellite TV cards by switching voltage levels either for the clock, or the power supply using power analysis techniques as a starting point.
Talk: Industroyer 2 – Cyberwarfare targeting Ukraine’s power grid
Type: ICS Attack
Speaker: Anton Cherepanov & Robert Lipovsky
Slides: https://i.blackhat.com/USA-22/Wednesday/US-22-Cherepanov-Industroyer2-Sandworms-Cyberwarfare-Targets-Ukraines-Power-Grid-Again.pdf
A new variant of the malware that causes energy blackouts, known as Industroyer2, was introduced in Ukraine while the Russian invasion was still in progress. Similar to the initial Industroyer attack in 2016, this most recent cyber-attack targeted 2 million (two million) persons with new components magnifying the harm and making recovery more difficult for the target. If you’re not familiar with the ongoing cyber-attacks in Ukraine, you can read our blog article to get a glimpse, https://lmntrix.com/blog/how-cybercriminals-take-adv-russia-ukraine-cyber-war/
Victor Zhora, one of the top cyber security officials from Ukraine made it to Blackhat USA, was one unexpected visitor we discovered. He said that since Russia invaded Ukraine, there have been thrice times as many cyber-attacks, and the Industroyer2 malware has done a lot of harm. According to him, there have been 1600 significant cyber events, and one of the terrifying capabilities of Industroyer2 is the ability to manipulate electrical utilities in order to control the flow of power. Victor Zhora is the vice-chairperson at Ukraine’s Service of Special Communications and Information Protection.
Talk: Monitoring Surveillance Vendors: A Deep Dive into Android Full Chains (2021)
Type: Exploit Development
Speaker: Google Threat Analysis Group
Slides: https://i.blackhat.com/USA-22/Wednesday/US-22-Jin-Monitoring-Surveillance-Vendors.pdf
This talk focused on the vendor who created the CVE-2021-0920 exploit and link multiple Android 0-day/N-day exploit samples to this vendor, including attempts to submit a malicious app to the Google Play store, and early use of the Bad Binder exploit. One of the biggest stories of the recent year(s) was the exposure of commercial software vendors as dangerous spyware merchants, with companies such as NSO Group (Pegasus), Candiru, Gamma Group (Finfisher), Hacking Team, VUPEN, and Cytrox making global headlines. Google’s research team has the rare opportunity to examine the work of these exploitation firms, and the premise of this talk was promising, a welcome step in 2022.
Talk: Browser-Powered Desync Attacks using HTTP Request Smuggling
Type: Web Application Security
Speaker: James Kettle
Slides: http://i.blackhat.com/USA-22/Wednesday/us-22-Kettle-Browser-Powered-Desync-Attacks.pdf
This talk featured a live demo breaking HTTPs on Apache.HTTP Request Smuggling is a technique that is frequently used as part of a modern penetration tester’s arsenal, and it has significantly raised the stakes for web application security. James Kettle has made significant advances in this area of research, and we believe the demonstration will draw a great deal of attention.
Bonus Talk/Defcon 30: Zoom auto updater allows root access to macOS
Type: Local Privilege Escalation
Speaker: Patrick Wardle
Slides: https://speakerdeck.com/patrickwardle/youre-muted-rooted
Zoom has become an essential communications tool for many organisations, being deployed on millions of devices worldwide as a result of the recent widespread shift to remote and hybrid working. During a talk at Defcon 30, security researcher Patrick Wardle revealed that a flaw in Zoom’s installer for macOS could allow attackers to gain full access to the operating system, including system files and sensitive user documents. He discovered that the Zoom macOS installer has an auto-update function that runs in the background with elevated privileges, allowing an attacker to run any programme and gain those privileges. Despite the fact that the flaw was not patched at the time of the BlackHat presentation, Zoom fixed the problem over the weekend.
Black Hat never fails to deliver exciting, enlightening, and distressing discussions about the state of cyber security and the above is what we saw that impressed and worried us the most.